OFFL Security Issues
I admit it. I'm not a security expert. There are certainly some potential risks to your system via OFFL, so I'll try to outline them here.
Passwords
- OFFL stores the MD5 hash of user passwords in the database. This is better than storing them in the clear, but an unsalted MD5 is not an adequate password store: MD5 is fast, so an attacker who obtains the table can test billions of guesses per second against it, two users with the same password get the same hash, and precomputed tables cover common passwords outright. A slow, salted hash (bcrypt via PHP's password_hash, or Argon2) is the appropriate replacement. MD5, being a one-way function, does not allow the original password to be recovered; the remedy for a forgotten password is a reset, not a lookup. MD5 is a hash, not an encryption algorithm, so it is unlikely to fall under encryption export restrictions, but I know of no definitive ruling. If you're running OFFL outside of the US, it's your responsibility to know the legal ramifications.
- OFFL does not send passwords in clear text. Every password transmitted is first passed through a JavaScript implementation of the MD5 hash (so JavaScript is a user requirement). Note what this does and does not buy you: an eavesdropper on a plain HTTP connection no longer sees the password itself, but the hash that replaces it is exactly the value the server stores, so it is a credential in its own right (see the point on password editing below). Client-side hashing is no substitute for HTTPS.
- OFFL is, as best I can determine, secure against replay of a captured login. At login, the password hash is hashed again together with a nonce kept in PHP's $_SESSION variable, and the server recomputes the same value from the stored hash. A captured response is useless against a different nonce, so this holds provided the nonce is unpredictable (generated from a CSPRNG such as random_bytes(), not rand() or uniqid()) and is discarded after one attempt; a nonce that stays in the session across several attempts allows replay within that session, even if the attacker never learns the target's password hash.
- Password editing does not have nonce protection: the server needs the new MD5 hash itself in order to store it, and it cannot strip a nonce back out of a hash, so the new hash travels unprotected on a plain HTTP connection. More generally, the stored hash is all a client needs to answer the login challenge, so knowledge of the hash (from a database leak, or from sniffing a password change) is sufficient to gain system entry without ever learning the password.
- The database login/password is stored in a PHP file. Because the presence of a suitable PHP include directory cannot be assumed, this file remains in the web server's document root. Direct requests for the file are blocked; however, unauthorized inclusion of this file (for instance through a file-inclusion bug elsewhere) or a PHP execution failure (the web server handing out the source because the PHP handler is missing or misconfigured) could reveal the password. Two mitigations: include the file by a path relative to the PHP constant __DIR__, which needs no include-path configuration and lets the file live one level above the document root where the web server cannot serve it at all; and, whatever its location, give the database user no permissions beyond the OFFL database (ideally only the statements OFFL actually issues), so that a leaked password limits the damage to that database.
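The login scheme described above, reconstructed as an added example so that its properties can be seen side by side with a hardened login that uses PHP's password_hash. This is not OFFL's own code: the page does not show exactly how OFFL combines the hash and the nonce, so md5(hash . nonce) is assumed, and all function and variable names are illustrative.

```php
<?php
// Added example (not OFFL's own code): the challenge/response login scheme the
// notes describe, reconstructed so its properties can be seen, beside a hardened
// login. Assumptions: OFFL's exact concatenation order is not given on the page,
// so md5(stored_hash . nonce) is assumed; all names below are illustrative.

declare(strict_types=1);

// ---- Scheme as described: client hashes with MD5 in JS, server keeps md5(pw) ----

// Server side: issue a fresh, unpredictable, single-use nonce and park it in the
// session. A nonce reused across attempts makes replay possible again.
function issue_nonce(array &$session): string {
    $session['login_nonce'] = bin2hex(random_bytes(16)); // CSPRNG, 128 bits
    return $session['login_nonce'];
}

// Client side (what the JS does): never send the password, send md5(md5(pw) . nonce).
function client_response(string $password, string $nonce): string {
    $passwordHash = md5($password);          // this is the value OFFL stores
    return md5($passwordHash . $nonce);
}

// Server side: recompute from the stored hash and compare in constant time,
// then burn the nonce so the same response cannot be presented twice.
function server_check(array &$session, string $storedMd5, string $response): bool {
    $nonce = $session['login_nonce'] ?? null;
    unset($session['login_nonce']);
    if ($nonce === null) {
        return false;
    }
    return hash_equals(md5($storedMd5 . $nonce), $response);
}

// ---- Hardened replacement: TLS on the wire, slow salted hash at rest ----

function register(string $password): string {
    // bcrypt (PASSWORD_DEFAULT) with a per-user salt; the cost factor is tunable.
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $storedHash, string $password): bool {
    // The password itself travels inside TLS; nothing derived from the stored
    // hash is accepted as a credential, so a leaked table logs nobody in.
    return password_verify($password, $storedHash);
}

// ---- Walk-through on a constructed account ----
$session = [];
$storedMd5 = md5('hail-mary-2004');          // what OFFL's table would hold

// 1. Honest login with the nonce the server just issued.
$nonce = issue_nonce($session);
$ok = server_check($session, $storedMd5, client_response('hail-mary-2004', $nonce));
echo "honest login: " . ($ok ? "accepted" : "rejected") . "\n";

// 2. Replay of the captured response against a fresh nonce.
$captured = client_response('hail-mary-2004', $nonce);
issue_nonce($session);
$ok = server_check($session, $storedMd5, $captured);
echo "replayed response: " . ($ok ? "accepted" : "rejected") . "\n";

// 3. Pass-the-hash: an attacker holding only the stored MD5 (database leak, or
//    sniffed from the unprotected password-change form) answers the challenge
//    without ever learning the password.
$nonce = issue_nonce($session);
$forged = md5($storedMd5 . $nonce);
$ok = server_check($session, $storedMd5, $forged);
echo "attacker with hash only: " . ($ok ? "accepted" : "rejected") . "\n";

// 4. Hardened flow: the stored value is useless as a credential.
$stored = register('hail-mary-2004');
echo "bcrypt login: " . (login($stored, 'hail-mary-2004') ? "accepted" : "rejected") . "\n";
echo "bcrypt, stored hash offered as password: " . (login($stored, $stored) ? "accepted" : "rejected") . "\n";
```

Run it from the command line with php. The replay is rejected only because the nonce is fresh and consumed on every attempt; the pass-the-hash step is accepted, which is the concrete form of "hash knowledge is sufficient to gain system entry". The bcrypt version removes that equivalence rather than merely hiding the hash, but it depends on HTTPS to protect the password in transit, which the MD5-in-JavaScript trick never fully did.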
Team Logos
- OFFL allows users to upload image files as team logos. Cursory file type screening is done, but its effectiveness is uncertain: checks on the file extension or on the browser-supplied content type are trivially forged, so the decision should be made from the bytes themselves (parse the image header and confirm the type with libmagic) and the file stored under a server-chosen name and extension. Additionally, PHP must be given write permissions to the logos directory, and a directory that PHP can write to and the web server will execute from is the classic route to code execution; PHP execution should be disabled for that directory (no PHP handler, or an .htaccess that turns the engine off) so that whatever is uploaded is served as data and never run.
- OFFL also allows offsite image linking. Here OFFL obviously has no control over what is running on the remote server. The logo is fetched by every viewer's browser, not by OFFL, so the remote server sees each user's IP address, browser and Referer header and can return different content to different viewers. It can also answer with something other than an image: a URL ending in .jpg may well be mapped to the PHP engine on the remote side, and a response demanding HTTP authentication makes some browsers pop up a login dialog while the user is looking at an OFFL page, which is the password phishing risk noted here.
- Offsite links must be successfully opened by PHP before they are accepted. This means the OFFL server itself makes a request to a user-supplied URL, so the check should run with a short timeout and a response size limit, without following redirects, and the retrieved bytes should pass the same image check as an upload.
- Offsite links are required to begin with "http://". This does block the file://, php:// and data: stream wrappers, so it prevents attempts to read local files outside the document root. It does not prevent requests to hosts the server can reach but the user cannot, such as http://127.0.0.1/ or http://10.0.0.5/ (server-side request forgery); to close that, resolve the host name and reject private, loopback and reserved addresses before fetching.
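The checks suggested above for both uploaded and linked logos, as an added example. This is not OFFL's own code and the page does not show OFFL's actual screening; the directory path, the size limit, the allowed image types and all function names are illustrative.

```php
<?php
// Added example (not OFFL's own code): content-based checks for an uploaded
// logo and for an offsite logo URL. Assumptions: the logos directory, the size
// limit, the allowed types and the function names are illustrative.

declare(strict_types=1);

const LOGO_MAX_BYTES = 262144;                        // 256 KiB, illustrative
const LOGO_TYPES = [                                   // what we will store and serve
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

// Decide from the bytes, never from the extension or the client's Content-Type.
// Returns the server-chosen extension, or null if the bytes are not a plain image.
function logo_extension(string $bytes): ?string {
    if ($bytes === '' || strlen($bytes) > LOGO_MAX_BYTES) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);           // parses the real header
    if ($info === false || !isset(LOGO_TYPES[$info[2]])) {
        return null;
    }
    // Belt and braces: libmagic must agree with the image parser.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== $info['mime']) {
        return null;
    }
    return LOGO_TYPES[$info[2]];
}

// Store under a name the server picks, so nothing in the upload chooses the
// file name or extension. A file that is both a valid image and PHP source still
// passes this check, which is why the directory must have PHP execution off.
function store_logo(string $bytes, int $teamId, string $logoDir): ?string {
    $ext = logo_extension($bytes);
    if ($ext === null) {
        return null;
    }
    $path = sprintf('%s/team-%d.%s', rtrim($logoDir, '/'), $teamId, $ext);
    return file_put_contents($path, $bytes) === false ? null : $path;
}

// Offsite links: "starts with http://" blocks file://, php:// and data: wrappers,
// but not http://127.0.0.1/ or http://10.0.0.5/, which make the OFFL server
// request things inside its own network. Resolve the host and reject private,
// loopback and reserved addresses before fetching.
function offsite_logo_allowed(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    if (!isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $addrs = gethostbynamel($parts['host']);             // IPv4 only; see note below
    if ($addrs === false || $addrs === []) {
        return false;
    }
    foreach ($addrs as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Fetch with a size cap and timeout and without following redirects (a redirect
// could point back inside the network), then apply the same byte-level check as
// for uploads. Non-2xx responses make file_get_contents return false.
function fetch_offsite_logo(string $url): ?string {
    if (!offsite_logo_allowed($url)) {
        return null;
    }
    $ctx = stream_context_create(['http' => [
        'timeout'         => 5,
        'follow_location' => 0,
        'header'          => "User-Agent: OFFL-logo-check\r\n",
    ]]);
    $bytes = @file_get_contents($url, false, $ctx, 0, LOGO_MAX_BYTES + 1);
    if ($bytes === false || logo_extension($bytes) === null) {
        return null;
    }
    return $bytes;
}
```

Two caveats the code itself cannot remove: gethostbynamel returns IPv4 addresses only, so a host with an AAAA record pointing inside the network needs a separate check; and the fetch resolves the host name a second time, so a name whose answer changes between the check and the request (DNS rebinding) can still get through unless the connection is made to the address that was validated. Serving the logos directory with PHP execution disabled is what ultimately contains a file that passes the image check yet also carries script content.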